pyjuju

assigning a unique security group to each machine uses up security group quotas in HPCloud (openstack)

Bug #1027641 reported by Dimitri John Ledkov
26
This bug affects 5 people
Affects Status Importance Assigned to Milestone
juju-core
Fix Released
High
Gustavo Niemeyer
pyjuju
Triaged
High
Unassigned
pyjuju 0.8 "zephr"

Bug Description

There are quotas of security groups on the hpcloud.
It seems like juju is creating a security group per environment and per each machine.
I would have expected juju to reuse a single security group per service.
Cause right now.... single 100 node service.... maxes out security groups - which are all identical...
I understand that this will limit my ability to expose a single machine from a service, or reuse a single machines in overlapping services.

Revision history for this message
Clint Byrum (clint-fewbar) wrote :

I think this is a great idea.

There are issues with doing this though. Juju de-couples the machine creation from the purposing of the machine. One can remove a service from a machine, and add another to any machine right now.

Bug #833064 suggests doing the firewall inside the machine using iptables. I think that may be a more flexible approach.

Either way, the bug here is not a "should" but rather juju runs into HPCloud's security group quotas.

summary: - should reuse security groups (openstack/hpcloud)
+ assigning a unique security group to each machine uses up security group
+ quotas in HPCloud (openstack)
Changed in juju:
status: New → Confirmed
importance: Undecided → High
Revision history for this message
Kapil Thangavelu (hazmat) wrote :

another option might be to enable group per service via a service constraint. machines associated to the service would not be subject to independent reuse though.

Revision history for this message
Clint Byrum (clint-fewbar) wrote : Re: [Bug 1027641] Re: assigning a unique security group to each machine uses up security group quotas in HPCloud (openstack)

Excerpts from Kapil Thangavelu's message of 2012-07-23 16:11:32 UTC:
> another option might be to enable group per service via a service
> constraint. machines associated to the service would not be subject to
> independent reuse though.
>

+1 this is a great idea, and should be fairly simple to implement.

Martin Packman (gz)
Changed in juju-core:
importance: Undecided → High
status: New → Confirmed
Revision history for this message
Dave Cheney (dave-cheney) wrote :

Hi Frank,

Is this still an issue for juju-core ?

Dave

Changed in juju-core:
assignee: nobody → Frank Mueller (themue)
milestone: none → 1.9.4
Revision history for this message
Frank Mueller (themue) wrote :

Today juju-core supports port control per instance or global, not yet per service. AFAIK it's not planned per service, but the mentioned one using iptables. Gustavo, am I still right here?

Changed in juju-core:
assignee: Frank Mueller (themue) → Gustavo Niemeyer (niemeyer)
Dave Cheney (dave-cheney)
Changed in juju-core:
milestone: 1.9.4 → none
Kapil Thangavelu (hazmat)
Changed in juju:
milestone: none → 0.8
Revision history for this message
Nick Veitch (evilnick) wrote :

It may be useful to know that according to HP, the hard limit on security groups is 100, and you have to fill in forms and apply for permission to use any more than 10...

Revision history for this message
William Reade (fwereade) wrote :

As far as I am aware this is fixed: you should be able to set "firewall-mode: global" in environments.yaml to work around this limitation. It's not great -- any open port for any exposed service will be opened on all machines -- but it works around this limitation, so long as you start the environment in this mode (you can't change it in a running environment, sadly).

Service security groups play merry hell with the density story we're currently focused on, so they're not something we're considering at the moment. I think the long-term answer will be per-machine iptables rules (which will be helpful everywhere) in combination with an always-global-mode firewaller.

Changed in juju-core:
status: Confirmed → Fix Released
Curtis Hovey (sinzui)
Changed in juju:
status: Confirmed → Triaged
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.